Managed network content monitoring and filtering system and method

ABSTRACT

A system and method for content request monitoring and filtering for a plurality of managed devices in a managed network uses a smart PAC file that is uniquely associated with a particular user using a particular managed device and a DNS look up to perform both the logging/monitoring of the content request and the filtering without a hardware appliance or partial proxying.

PRIORITY CLAIMS/RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/836,839 filed Mar. 31, 2020, which in turn is a divisional of and claims priority to U.S. patent application Ser. No. 16/414,728 filed May 16, 2019, which claims the benefit under 35 USC 119(e) and priority under 35 USC 120 to U.S. Provisional Patent Application Ser. No. 62/672,964 filed May 17, 2018, which are entitled “Managed Network Content Monitoring And Filtering System And Method,” the entirety of which is incorporated herein by reference.

FIELD

The disclosure relates generally to a system and method for monitoring and filtering internet content for a managed network.

BACKGROUND

The idea of monitoring and filtering content and web browsing for a managed device is well known. In a first conventional system, an in-line hardware appliance is inserted into the path between the managed network and the Internet to monitor and filter content requests. These in-line hardware appliances require a piece of relatively expensive hardware installed at every port to the Internet and are difficult for an IT person of the managed network to manage. Other known systems implement a domain name service (DNS) or proxy approach that logs the content request sites and takes filtering actions, and is typically implemented in software or the cloud. This proxy type approach incurs a huge bandwidth cost if the proxy is proxying all content requests. Some proxy systems use a selective proxying approach in which the proxy chooses which content requests will be proxied. However, the selective proxying approach cannot keep up with content development, making the selective proxying approach less secure. For example, the selective proxy may have a list of sites that are monitored, but will not be able to log access to a newly created site until the list of monitored sites is updated in the selective proxy. Other known systems use a piece of software installed on each managed device to monitor and filter content. However, to make a commercially viable product, the developer must develop a version of the software for each different managed device and each different operating system, which is difficult.

Some known systems use a proxy auto-config (PAC) file that defines how a web browser of each managed device can automatically choose the appropriate proxy server (access method) for fetching a given uniform resource locator (URL). The PAC file contains a JavaScript function “FindProxyForURL(url, host)”. This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly. Like the selective proxying above, this method has the same problem that the proxying is behind the content development, resulting in reduced security for the managed network.

All of the above technical problems with existing monitoring and filtering systems result in a need for a monitoring and filtering system that overcomes these limitations and problems with the conventional systems, and it is to this end that the disclosure is directed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example of a system for monitoring and filtering content for one or more managed devices of a managed network;

FIG. 2 illustrates the system for monitoring and filtering content of FIG. 1 and its method for associating a customer identifier with a universally unique identifier;

FIG. 3 illustrates the system for monitoring and filtering content of FIG. 1 and its method for monitoring and filtering a content request from a managed device;

FIGS. 4A and 4B illustrate a data flow for an exemplary implementation of the method for content request monitoring and filtering;

FIG. 5 illustrates a data flow for another exemplary implementation of the method for content request monitoring and filtering; and

FIG. 6 illustrates an example of a smart proxy auto config file that may be used by the system.

DETAILED DESCRIPTION OF ONE OR MORE EMBODIMENTS

The disclosure is particularly applicable to monitoring/logging and filtering content from content requests for a plurality of managed devices connected to an entity managed network, and it is in this context that the disclosure will be described. For purposes of illustration, an example use case is described in which the entity is a school district and the managed devices are used by teachers and students, each of whose content is monitored and filtered differently due in part to a proxy auto-config (PAC) file that is unique for each user, as described below. It will be appreciated, however, that the system and method have greater utility, since they may be used to monitor and filter content for any entity managed network and may also be implemented in different manners than the examples described below and shown in the attached figures.

A system and method for monitoring and filtering content from the Internet based on content requests for a plurality of managed devices that connect to an entity managed network may utilize a smart PAC file, a universally unique identifier (UUID) assigned to each user of each managed device, and a domain name service (DNS) lookup to monitor the content request and decide whether the particular request is permitted, so that each managed device can then enforce the content filtering decision. The system and method, as described below in more detail, implement a content filtering process that is unconventional, not routine and not well understood. Specifically, since known content filtering systems use the techniques described in the background and have been doing so for a long time, the unique combination of processes is unconventional as compared to the known content filtering systems, and is not routine nor well understood. Furthermore, the disclosed system uses a novel arrangement and location of the elements of the system, including the smart PAC file at the web server, the generation of the UUID for each user of the managed device that is returned with the smart PAC file, the synchronization of the UUID to a remote DNS server, the remote DNS server logging/monitoring the content request based on the content request and the UUID of the user making the content request (without proxying all content requests like conventional systems), and the managed device, remote from the DNS server and web server, enforcing the web content policy for the particular managed device.

The system and method described below further provide a technical solution to the technical problems of the known content monitoring and filtering systems. For example, the disclosed system does not require an expensive hardware appliance at each port or the complicated management required for hardware appliances, while still providing the content request monitoring/logging and filtering and the ability to monitor all sites visited, as described below. Similarly, the disclosed system does not require proxying each content request, which is bandwidth intensive and slow, and does not use selective proxying, which is less secure. Similarly, the disclosed system does not require installing software on each monitored device or operating system.

FIG. 1 illustrates an example of a system 100 for monitoring and filtering content for one or more managed devices 102 of an entity managed network, which is shown below the dotted line in FIG. 1, for content requested from the Internet, shown above the dotted line. The system 100 for monitoring and filtering content, like other known systems, acts as a gatekeeper that prevents a user who is using a managed device 102 from accessing certain content or types of content from other networks or the Internet. The system 100, however, accomplishes this goal using a novel arrangement of components and processes that overcomes the problems and limitations of the known systems described above.

The system 100 may include the one or more managed devices 102, each of which is being used by a user employed by or associated with the entity, such as teachers, administrators and students at a school district, to access content on an external network or the Internet. The system 100 may be used with any managed device 102 that has a processor, memory and a display, in which the processor of the managed device executes a well-known browser application or other application to access content external to the entity managed network (known as external content hereinafter). For example, the managed devices 102 may include a terminal device, a tablet computer, a smartphone device 102A, such as an Apple® iPhone® or Android® operating system based device, a laptop computer 102B, . . . , and a desktop computer 102N. While each managed device 102 is conventional and routine, since each is commercially available, the content monitoring and filtering processes achieved using those managed devices are not conventional, well-understood or routine, as described below in more detail.

The system 100 may also include a web server 104, a DNS server 106 and a smart PAC file 108 hosted at the web server 104 that collectively provide the content request monitoring and filtering processes. The web server and the DNS server are each conventional and well known pieces of computer hardware, but each has a plurality of lines of computer code executed by a processor of each server that implement the unconventional content request filtering processes described below. Thus, the system uses these well-known computer elements in a novel way and configuration due to the plurality of instructions that perform processes that overcome the limitations and problems of the conventional content monitoring and filtering systems.

The operation of the system will now be described. It should be understood that although the operation is being described as actions being performed by the elements shown in FIG. 1, the content monitoring and filtering method and its processes may be performed using other elements, and the method is not limited to the elements shown in FIG. 1 performing the method processes.

In operation, a network management administrator first configures all devices in the managed network to use a PAC file location (108) hosted on the web server location (104). When a user first submits a content request for content (whether external to the entity managed network or stored within the entity managed network), the browser application of the managed device 102 may issue a GET PAC request 120 to the web server 104 to retrieve a PAC file 108 that contains the method for content specifications for filtering content as described above. In this system, the web server 104 may return a smart PAC file unique to each user 122, wherein that smart PAC file may include a universally unique identifier (UUID) for each user (such as johnsmith@exampleschool.org in an example in which a school district is using the monitoring and filtering system, and usually tracked via web authentication and cookies by a web server such as 104) that is generated by the web server 104 and returned to the managed device 102 with or as part of the PAC file 108 that is unique for the user. This process may be implemented using remote procedure calls (RPCs), and further details of this process are described below. Thus, in the example in FIG. 1, each managed device 102A-102N receives a unique PAC and the UUID that associates the user with the particular PAC file. Each unique PAC file has the specifications (the policy) that control the content filtering for each user. As part of the above process, the association of the particular PAC with a particular user (and unique ID or tracking number) may be synchronized from a database 200 of the web server 104 onto a database 202 of the domain name service (DNS) server 106 of the web filtering company, as shown in FIG. 2. This synchronization allows the DNS server 106 of the web filtering company to perform the DNS lookup for each user and to monitor/track and make filtering decisions about the content requests for each user, providing a technical solution.

When a user of the managed device makes a content request, the content request includes the request for the content (including the host and uniform resource locator (URL)) and the UUID. The content request is communicated from the browser to a DNS server 300 of the entity for the managed network and may be passed on to a root DNS server, since the content request includes a link to the web filtering company. The content request may then be communicated (322) on to the web filtering company DNS server 106 using RPCs, as shown in FIG. 3 and described below in more detail. The web filtering DNS server, through a DNS look-up, may monitor/track the content request and may determine a filtering decision for the particular content request from the particular user based on the UUID, as described below in more detail. The web filtering DNS server may also include a process in which a decision is made, for each content request, to either perform the DNS lookup for filtering or use the PAC file and perform typical proxying of the content request, both of which are described below in more detail. The DNS server 106 may communicate the content request decision (324) back to the local DNS server 300. The content request decision may then be communicated back (326) to the managed device 102B, and the browser of the managed device 102B enforces the content request decision as shown in FIG. 3.

FIGS. 4A and 4B illustrate a data flow for an exemplary implementation of the method for content request monitoring and filtering for each content request made by a user using a managed device in the entity managed network. The data flow shown in FIGS. 4A and 4B shows the process for monitoring and filtering for a managed device and user that needs to obtain the PAC file and the UUID/DID/tracking number, since the particular user and managed device is new to the network, has had its cache of cookies with the tracking number flushed or deleted, or has not recently accessed Internet content. The entities that are part of the data flow include a browser, PAC logic that may be a part of any browser application, the DNS server 106 and a cluster of web servers (useast-www.securly.com, for example) operated by the web filtering company. In the example in FIGS. 4A and 4B, a user is seeking to access content from www.evite.com (a well-known electronic invitation site), but the process in FIGS. 4A and 4B may be used to monitor and filter access to any type of content and is clearly not limited to accessing any particular type of content.

The data flow may include a process 400 of requesting and receiving the PAC file, a proxy decision process 402 and a brokering process 404. During the process 400, the PAC logic of a browser of a managed device that has not accessed the Internet recently, or is a new managed device on the network, etc., will request a proxy auto-config (PAC) file using a GET command (such as GET /smart.pac?fid=. . .&cluster=useast as shown in FIGS. 4A and 4B), which is a standard process that a browser application performs for a managed device that does not already have a PAC file. However, unlike the typical and conventional PAC file that has methods for access permissions, the smart PAC file has the JavaScript code for access permissions (and other code for the content monitoring and filtering, an example of which is shown in FIG. 6) and an identifier (or a tracking number) for each managed device and user that is universally unique. In the example in FIGS. 4A and 4B, the cluster useast returns the smart PAC file that includes the identifier “123” (called DID in the example, which translates to a user such as johnsmith@exampleschool.org tracked by the web server 104) that universally uniquely identifies the managed device and the user presently using the managed device. In the implementation shown in FIGS. 4A and 4B, a Set-Cookie DID=123 may be used to assign the DID to the managed device and the user presently using the managed device. The tracking number associated with the PAC file that uniquely identifies each managed device and user of the managed device is also associated with a filtering policy for the user, and then other systems, like the DNS server 106, receive the tracking number and can execute the appropriate filtering based on the associated policy.

The data flow now proceeds to the proxy decision process 402. During this process 402 and the brokering process 404 shown in FIGS. 4A and 4B, remote procedure calls (RPCs) may be used to communicate and transfer information between different systems, including the PAC, the DNS server, the web server, etc., for monitoring and filtering. While it is known and routine to use an RPC call for spam filtering techniques, it is unconventional, not routine and not well understood to use RPC calls for content monitoring and filtering for data communication (including the host and URL of the content request and the DID/tracking number) between the system elements, including the smart PAC 108, the web server 104 and the DNS server 106 of the system. The RPC calls may have the format arguments.endpoint.cluster.v1api.securly.com, which is a unique and unconventional API interface standard for communicating with the content monitoring and filtering system over the DNS protocol. Each RPC call may have an endpoint called on a particular cluster with a series of arguments, and return a value. In one example used in FIGS. 4A and 4B, the cluster may be useast, and useast.v1api.securly.com is the DNS subdomain used for web content monitoring and filtering. In the above format, the endpoint is the name of an API call such as log, prx or mip, the arguments may be a series of text strings separated by periods, and the return value may be, for example, an IP address (integers), although other return values are possible. In one implementation, a return value, for a prx RPC, of XXX.0.0.2 indicates that a proxy will be used for the particular content request and a return value of XXX.0.0.1 indicates that the DNS lookup process (shown in more detail in FIG. 5) may be performed, where XXX is a three digit number.

In the proxy decision process 402, an RPC call is initiated by the PAC logic in the browser from the PAC to the filtering DNS server 106. For example, for a content request to www.evite.com, the RPC call may be www.evite.com/welcome.123.prx.v1api.securly.com, where “prx” is the particular RPC call and “123” is the tracking number that associates the PAC file with the particular managed device and user who made the content request. This RPC call provides an unconventional mechanism for the web content monitoring and filtering system to communicate data from the smart PAC to the DNS server 106. In more detail, the RPC call provides PAC navigation logging in that the PAC can transmit information about what hosts and URLs the user is visiting (“www.evite.com” being the host and “www.evite.com/welcome” being the URL) and its PAC identity (the tracking number or DID). The PAC navigation logging allows the DNS server 106 to receive policy information for the particular user and the particular managed device to apply to the hosts/URLs in the content request and to take action to log information about the user's activity, whether or not the user's content request is proxied, as described below. This technique, unconventional in the content filtering industry, allows the system to log information about the user and his/her content requests while avoiding the expense of proxying the user, which is the major competitive advantage.

In the proxy decision process 402 in FIGS. 4A and 4B, the tracking number of the PAC (123 in this example) is not yet known to the DNS server 106, since the synchronization of the PAC and tracking number association with the DNS server 106 has not occurred. Thus, since the content request has a tracking number that is unknown, the DNS lookup process (based on the RPC) returns 127.0.0.2, indicating that the PAC is unknown (since the DNS server 106 does not have the association of the provided tracking number to any PAC assigned to a particular user and managed device) and that proxying is to be used with the PAC file of the particular user and managed device. The PAC logic receives the response from the DNS server 106 and sends a command to perform proxying for the particular content request.

During the brokering process 404, the tracking number for the particular PAC file assigned to the particular user using the particular managed device may be synchronized to the DNS server 106 so that the DNS server 106 recognizes the particular PAC file and can perform the DNS lookup to monitor and filter the content request of the particular user using the particular managed device. In the example in FIGS. 4A and 4B, since the DID/tracking number associated with the particular PAC file is missing (since the PAC file was only recently assigned the 123 tracking number), the brokering process uses a sync RPC (communicating data from the cluster/DNS server to the browser/smart PAC) with a token (for example http://token.sync.pacprc.useast.v1api.securly.com/smart.pac?parprc=sync&argument=TOKEN&redirect=NEXTURL as shown in FIG. 4), wherein the token is a restore token and the NEXTURL is a URL to redirect back to when the brokering is completed. Note that this is another example of an unconventional use of an RPC to perform data communications during content monitoring and filtering. In more detail, when the PAC detects the RPC call, the PAC generates a RES DNS RPC call (as shown in FIGS. 4A and 4B) to fix the current DID/tracking number to the TOKEN and synchronize the information about the PAC file and the DID to the DNS server 106. In the brokering process, the browser follows the redirect and asks the PAC for a proxy decision, and the PAC logic sees the special host name (v1api.securly.com) and generates an API call over a DNS lookup (for example, did.token.res.v1api.securly.com to the DNS server 106) that returns 127.0.0.1 and restores the DID to the cookie (and binds the DID to the token in the database of the DNS server 106) when that association is lost. This is again another example of the unconventional use of an RPC call for content monitoring and filtering.
Once the DID to the TOKEN is fixed, the PAC is informed of this and then instructs the browser not to use the proxy and instead to use the DNS lookup, such as token.res.useast.v1api.securly.com, that is sent to the DNS server 106 and that returns a decision (allow, deny or partial proxying of the content request). A PHP script in the browser then loads the DID, looking up the token in the database (Redis in one implementation), and fixes the cookie, such as by using GET /smart.pac? . . . HOST.token.res.useast.v1api.securly.com that is sent to the cluster. The cluster sends back a confirmation message that the cookie and DID association is completed.

FIG. 5 illustrates a data flow for another exemplary implementation ofthe method for content request monitoring and filtering for directaccess when the DID of the PAC file for the particular user andparticular managed device is known to the DNS server 106 so that a DNSlookup may be used to perform the monitoring and filtering. In this dataflow, a user may request data from www.evite.com through the browser andthe PAC logic may lookup “securlydns.securly.com” that returns anindication that the user/managed device is not on the managed network atthe time of the content request (for example, the managed device is notin school when the system is being used to managed a school network) andthe PAC logic generates a DNS lookup (for example,www.evite.com.123.prx.vlapi.securely.com) using a RPC call to the DNSserver 106. The DNS server 106 logs the content request (device=123 andsite is www.evite.com) into a log file (to perform themonitoring/logging aspect of the system without proxying) and the DNSserver returns a filtering decision to allow the content request andinstructs the PAC file to go direct and the browser then directlyaccesses the requested content. In this way, the site visited and theuser visiting the site, are both logged by the DNS server 106, withoutthe need for any appliance, proxying or software installed on theoperating system or device—purely using the PAC file and DNS service ofthe web-filter company.

The DNS lookup described above incorporates a bypass feature that allows the inventive DNS lookup to disable the PAC file 108 entirely in certain situations. In particular, the system may determine whether the content request originates from the managed network or originates from elsewhere (for example, a child with a managed device at home and not on the school network, in the example of a school district managed network) and adjust the method of filtering while still monitoring/logging the content request. Specifically, if the request originates from a server in the managed network served directly by the web filtering company's DNS service 104, the DNS server 104 is able to detect the direct access based on the source (e.g., via a source IP address lookup) and use an RPC response that requests the PAC file 108 to shut itself down. In this case, the normal DNS lookup monitoring and filtering process is used without any additional involvement of the PAC file 108. However, if the content request is made with the PAC file (not DNS directly, since the managed device made the request from a different network), the DNS server 104 is able to detect that the request came via the DNS root servers and hierarchical DNS propagation, and request the PAC file to stay active and not shut itself down. In this case, the PAC file 108 is used in determining filtering, although the logging is still performed as shown in FIG. 5.

The above monitoring and filtering for a content request also has a process to handle when a user logs out from a managed device. In particular, when a user logs out of a managed device, the web server 104 shown in FIG. 1 sends an RPC to the PAC file that flushes the cache and logs, thus invalidating the cache and logs of the PAC. This process also flushes the tracking number/DID association with the user identifier and the token discussed above. When another user or the same user (a “new user” for purposes of the monitoring and filtering) logs onto the managed device, the system performs the process of FIGS. 4A and 4B to associate the PAC file of the “new” user with a tracking number and performs the brokering. In this manner, the content monitoring and filtering system handles when a user logs out of a managed device and prevents, for example, a teacher's content profile that is more liberal than a student's content profile from being used by a student who subsequently logs into the managed device. The above process also handles the situation of a shared managed device wherein the different users may have different content filtering profiles, since the logging out of each user nullifies the content policy of that user. The above process also handles the situation in which a nefarious user is trying to circumvent the content filtering system by deleting the cookies stored in the browser of the managed device, since the deletion of the cookies causes the process of FIGS. 4A and 4B to be executed as if the user is logging into the managed device for the first time.

The PAC file for a user and managed device and its association to the tracking number may also be used for internal IP address fusing/tracking. In particular, different PACs on the same client IP can be fused together for the purpose of applying policy data using their “internal IP”, that is, the private IP the device is registered under on the entity managed network, which is normally invisible to cloud providers. This IP address tracking/fusing allows the above described system to execute content policy using that internal IP as a physical appliance is able to do, but without the limitations and drawbacks of the physical appliance. In more detail, the PAC file may be tracked for an app executing on the managed device. Although the app has no login that would normally allow the content monitoring and filtering, the user still logs into the browser so that the system can monitor and filter content for the apps as described above.

In addition to the monitoring and filtering activities described above, carried out using the smart PAC file and the universally unique identifier for the user and managed device, the smart PAC file and the system may also be used to provide a pause feature and/or a time scheduling feature. The pause feature may enable the internet (access to a network outside of the entity network) to be remotely paused and then resumed for any particular managed device at any particular time. The pause feature may be implemented by the web server sending a pause instruction to the smart PAC of a particular managed device or one or more managed devices. The instruction may be sent using an RPC as described above. In one implementation, the pause instruction may result in access being denied to all outside resources. At the end of the pausing of the Internet (whenever that may be), the web server may send a normal operation (or stop pause) command using the same processes described above, and the filtering policy associated with the universally unique identifier for the managed device will be used again to monitor and filter the content.

The time scheduling feature may allow for time scheduled monitoring and filtering of content for all web sites (or a particular web site) for a managed device instead of the static monitoring and filtering that operates at all times. For example, a time schedule may be created for a managed device being used by a particular user, such as a student, by a user of the system, such as a parent or the school or whomever has authority to set permissions for the user of the managed device. That user can create or change the allow/deny monitoring and filtering rules (that are part of the monitoring and filtering process) based on a time schedule for the managed device so that the monitoring and filtering may be performed on a time schedule. The system may allow the user to change/create the monitoring and filtering rules on the fly. For example, for a student at a school, the monitoring and filtering rules may be different at different times of the day, such as homework time, in which access may be denied to all non-educational sites, bed time, in which all access is denied, and a fun/gaming time, when the student is allowed to access certain sites. This time schedule feature can be implemented similarly to the pause feature, and the web server may communicate instructions about the time schedule and the monitoring and filtering rules during each time period to the smart PAC, which can implement those changes.

The foregoing description, for purposes of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the disclosure to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the disclosure and its practical applications, to thereby enable others skilled in the art to best utilize the disclosure and various embodiments with various modifications as are suited to the particular use contemplated.

The system and method disclosed herein may be implemented via one or more components, systems, servers, appliances, other subcomponents, or distributed between such elements. When implemented as a system, such systems may include and/or involve, inter alia, components such as software modules, general-purpose CPU, RAM, etc. found in general-purpose computers. In implementations where the innovations reside on a server, such a server may include or involve components such as CPU, RAM, etc., such as those found in general-purpose computers.

Additionally, the system and method herein may be achieved via implementations with disparate or entirely different software, hardware and/or firmware components, beyond that set forth above. With regard to such other components (e.g., software, processing components, etc.) and/or computer-readable media associated with or embodying the present inventions, for example, aspects of the innovations herein may be implemented consistent with numerous general purpose or special purpose computing systems or configurations. Various exemplary computing systems, environments, and/or configurations that may be suitable for use with the innovations herein may include, but are not limited to: software or other components within or embodied on personal computers, servers or server computing devices such as routing/connectivity components, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, consumer electronic devices, network PCs, other existing computer platforms, distributed computing environments that include one or more of the above systems or devices, etc.

In some instances, aspects of the system and method may be achieved via or performed by logic and/or logic instructions including program modules, executed in association with such components or circuitry, for example. In general, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular instructions herein. The inventions may also be practiced in the context of distributed software, computer, or circuit settings where circuitry is connected via communication buses, circuitry or links. In distributed settings, control/instructions may occur from both local and remote computer storage media including memory storage devices.

The software, circuitry and components herein may also include and/or utilize one or more types of computer readable media. Computer readable media can be any available media that is resident on, associable with, or can be accessed by such circuits and/or computing components. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and can be accessed by a computing component. Communication media may comprise computer readable instructions, data structures, program modules and/or other components. Further, communication media may include wired media such as a wired network or direct-wired connection; however, no media of any such type herein includes transitory media. Combinations of any of the above are also included within the scope of computer readable media.

In the present description, the terms component, module, device, etc. may refer to any type of logical or functional software elements, circuits, blocks and/or processes that may be implemented in a variety of ways. For example, the functions of various circuits and/or blocks can be combined with one another into any other number of modules. Each module may even be implemented as a software program stored on a tangible memory (e.g., random access memory, read only memory, CD-ROM memory, hard disk drive, etc.) to be read by a central processing unit to implement the functions of the innovations herein. Or, the modules can comprise programming instructions transmitted to a general purpose computer or to processing/graphics hardware via a transmission carrier wave. Also, the modules can be implemented as hardware logic circuitry implementing the functions encompassed by the innovations herein. Finally, the modules can be implemented using special purpose instructions (SIMD instructions), field programmable logic arrays or any mix thereof which provides the desired level of performance and cost.

As disclosed herein, features consistent with the disclosure may be implemented via computer-hardware, software and/or firmware. For example, the systems and methods disclosed herein may be embodied in various forms including, for example, a data processor, such as a computer that also includes a database, digital electronic circuitry, firmware, software, or in combinations of them. Further, while some of the disclosed implementations describe specific hardware components, systems and methods consistent with the innovations herein may be implemented with any combination of hardware, software and/or firmware. Moreover, the above-noted features and other aspects and principles of the innovations herein may be implemented in various environments. Such environments and related applications may be specially constructed for performing the various routines, processes and/or operations according to the invention or they may include a general-purpose computer or computing platform selectively activated or reconfigured by code to provide the necessary functionality. The processes disclosed herein are not inherently related to any particular computer, network, architecture, environment, or other apparatus, and may be implemented by a suitable combination of hardware, software, and/or firmware. For example, various general-purpose machines may be used with programs written in accordance with teachings of the invention, or it may be more convenient to construct a specialized apparatus or system to perform the required methods and techniques.

Aspects of the method and system described herein, such as the logic, may also be implemented as functionality programmed into any of a variety of circuitry, including programmable logic devices (“PLDs”), such as field programmable gate arrays (“FPGAs”), programmable array logic (“PAL”) devices, electrically programmable logic and memory devices and standard cell-based devices, as well as application specific integrated circuits. Some other possibilities for implementing aspects include: memory devices, microcontrollers with memory (such as EEPROM), embedded microprocessors, firmware, software, etc. Furthermore, aspects may be embodied in microprocessors having software-based circuit emulation, discrete logic (sequential and combinatorial), custom devices, fuzzy (neural) logic, quantum devices, and hybrids of any of the above device types. The underlying device technologies may be provided in a variety of component types, e.g., metal-oxide semiconductor field-effect transistor (“MOSFET”) technologies like complementary metal-oxide semiconductor (“CMOS”), bipolar technologies like emitter-coupled logic (“ECL”), polymer technologies (e.g., silicon-conjugated polymer and metal-conjugated polymer-metal structures), mixed analog and digital, and so on.

It should also be noted that the various logic and/or functions disclosed herein may be enabled using any number of combinations of hardware, firmware, and/or as data and/or instructions embodied in various machine-readable or computer-readable media, in terms of their behavioral, register transfer, logic component, and/or other characteristics. Computer-readable media in which such formatted data and/or instructions may be embodied include, but are not limited to, non-volatile storage media in various forms (e.g., optical, magnetic or semiconductor storage media) though again does not include transitory media. Unless the context clearly requires otherwise, throughout the description, the words “comprise,” “comprising,” and the like are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is to say, in a sense of “including, but not limited to.” Words using the singular or plural number also include the plural or singular number respectively. Additionally, the words “herein,” “hereunder,” “above,” “below,” and words of similar import refer to this application as a whole and not to any particular portions of this application. When the word “or” is used in reference to a list of two or more items, that word covers all of the following interpretations of the word: any of the items in the list, all of the items in the list and any combination of the items in the list.

Although certain presently preferred implementations of the invention have been specifically described herein, it will be apparent to those skilled in the art to which the invention pertains that variations and modifications of the various implementations shown and described herein may be made without departing from the spirit and scope of the invention. Accordingly, it is intended that the invention be limited only to the extent required by the applicable rules of law.

While the foregoing has been with reference to a particular embodiment of the disclosure, it will be appreciated by those skilled in the art that changes in this embodiment may be made without departing from the principles and spirit of the disclosure, the scope of which is defined by the appended claims.

What is claimed is:
 1. A method, comprising: by a computer with a processor and a memory, receiving a request for a proxy-auto config (PAC) file from a browser of a managed device that has not accessed an Internet within a preset amount of time; sending, by the computer, to the requesting browser, a PAC with a Javascript code for access permissions and an identifier for each managed device and corresponding unique user; correlating by the computer, the identifier with a filtering policy for the unique user; sending by the computer, the identifier to a DNS server which can execute the correlated filtering policy; utilizing by the computer, remote procedure calls (RPCs) for monitoring content and filtering information among PAC, web server and DNS server.
 2. The method of claim 1 wherein the request from the browser of the managed device that has not accessed the Internet within a preset amount of time is by a GET command.
 3. The method of claim 1 wherein the PAC with the Javascript code also contains content monitoring code.
 4. The method of claim 1 wherein the PAC with the Javascript code also contains filtering code.
 5. The method of claim 1 wherein the identifier is a tracking number.
 6. The method of claim 1 wherein the unique identifier is a DID file.
 7. The method of claim 1 wherein the RPC calls have a format of arguments.endpoint.cluster.v1api.securly.com.
 8. The method of claim 1 wherein the RPC call has an endpoint called on a particular cluster with a series of arguments to return a value.
 9. The method of claim 1 further comprising, PAC navigation logging provided by the RPC call regarding what hosts and URL the user is visiting.